Chapter 12

Cryptographic
Hash Functions

12.1

122SHA512
SHA-512 is the version of SHA with a 512-bit message
digest. This version, like the others in the SHA family of
algorithms, is based on the Merkle-Damgard scheme.

Topics discussed in this section:

12.2.1 Introduction
12.2.2 Compression Function
12.2.3 Analysis
12.2

12.2.1 Introduction
Figure 12.6 Message digest creation SHA-512

12.3

12.2.1 Continued
Message Preparation
SHA-512 insists that the length of the original message be less
than 2128 bits.
Note
SHA-512 creates a 512-bit message digest out of a
message less than 2128.

12.4

12.2.1

Continued

Example 12.1

This example shows that the message length limitation of

SHA-512 is not a serious problem.
Suppose we need to send a message that is 2128 bits in length.
How long does it take for a communications network with a
data rate of 264 bits per second to send this message?
Solution
A communications network that can send 264 bits per second
is not yet available. Even if it were, it would take many years
to send this message. This tells us that we do not need to
worry about the SHA-512 message length restriction.
12.5

12.2.1

Continued

Example 12.2
This example also concerns the message length in SHA-512. How many
pages are occupied by a message of 2128 bits?

Solution
Suppose that a character is 32, or 26, bits. Each page is less than 2048, or
approximately 212, characters. So 2128 bits need at least 2128 / 218, or 2110,
pages. This again shows that we need not worry about the message
length restriction.

12.6

Secure Hash Algorithm

Developed by NIST, specified in the Secure Hash

Standard (SHS, FIPS Pub 180), 1993
SHA is specified as the hash algorithm in the Digital
Signature Standard (DSS), NIST

SHA Version

12.8

General Logic

Input message must be < 264 bits

not really a problem

Message is processed in 512-bit blocks

sequentially
Message digest is 160 bits
SHA design is similar to MD5, but a lot stronger

Basic Steps
Step1: Padding
Step2: Appending length as 64 bit unsigned
Step3: Initialize MD buffer 5 32-bit words
Store in big endian format, most significant bit in low address

A|B|C|D|E
A = 67452301
B = efcdab89
C = 98badcfe
D = 10325476
E = c3d2e1f0

Basic Steps...
Step 4: the 80-step processing of 512-bit blocks 4
rounds, 20 steps each.
Each step t (0 <= t <= 79):

Input:

Wt a 32-bit word from the message

Kt a constant

ABCDE: current MD

Output:

ABCDE: new MD

12.12

12.13

Basic Steps...

Only 4 per-round distinctive additive constants

0 <=t<= 19 Kt = 5A827999
20<=t<=39 Kt = 6ED9EBA1
40<=t<=59 Kt = 8F1BBCDC
60<=t<=79 Kt = CA62C1D6

12.2.1 Continued

Figure 12.7 Padding and length field in SHA-512

12.15

12.2.1

Continued

Example 12.3
What is the number of padding bits if the length of the original message
is 2590 bits?
Solution
We can calculate the number of padding bits as follows:

The padding consists of one 1 followed by 353 0s.

12.16

12.2.1

Continued

Example 12.4

Do we need padding if the length of the original message is

already a multiple of 1024 bits?

Solution
Yes we do, because we need to add the length field. So
padding is needed to make the new block a multiple of 1024
bits.

12.17

12.2.1

Continued

Example 12.5

What is the minimum and maximum number of padding bits

that can be added to a message?
Solution
a. The minimum length of padding is 0 and it happens when
(M 128) mod 1024 is 0. This means that |M| = 128 mod
1024 = 896 mod 1024 bits. In other words, the last block in
the original message is 896 bits. We add a 128-bit length
field to make the block complete.

12.18

12.2.1
Example 12.5

Continued
Continued

b) The maximum length of padding is 1023 and it happens

when (|M| 128) = 1023 mod 1024. This means that the
length of the original message is |M| = (128 1023) mod
1024 or the length is |M| = 897 mod 1024.
In this case, we cannot just add the length field because the
length of the last block exceeds one bit more than 1024. So
we need to add 127 bits to complete this block and create a
second block of 896 bits. Now the length can be added to
make this block complete.
12.19

12.2.1 Continued
Words
Figure 12.8 A message block and the digest as words

12.20

12.2.1 Continued
Word Expansion
Figure 12.9 Word expansion in SHA-512

12.21

12.2.1

Continued

Example 12.6
Show how W60 is made.
Solution
Each word in the range W16 to W79 is made from four previously-made
words. W60 is made as

12.22

12.2.1 Continued
Message Digest Initialization

12.23

12.2.2 Compression Function

Figure 12.10 Compression function in SHA-512

12.24

12.2.2 Continued
Figure 12.11 Structure of each round in SHA-512

12.25

12.2.2 Continued
Majority Function

Conditional Function

Rotate Functions

12.26

12.2.2 Continued

12.27

12.2.2 Continued
There are 80 constants, K0 to K79, each of 64 bits. Similar
These values are calculated from the first 80 prime numbers
(2, 3,, 409). For example, the 80th prime is 409, with the
cubic root (409)1/3 = 7.42291412044. Converting this number
to binary with only 64 bits in the fraction part, we get

The fraction part: (6C44198C4A475817)16

12.28

12.2.2

Continued

Example 12.7
We apply the Majority function on buffers A, B, and C. If the leftmost
hexadecimal digits of these buffers are 0x7, 0xA, and 0xE, respectively,
what is the leftmost digit of the result?
Solution
The digits in binary are 0111, 1010, and 1110.
a. The first bits are 0, 1, and 1. The majority is 1.
b. The second bits are 1, 0, and 1. The majority is 1.
c. The third bits are 1, 1, and 1. The majority is 1.
d. The fourth bits are 1, 0, and 0. The majority is 0.
The result is 1110, or 0xE in hexadecimal.
12.29

12.2.2

Continued

Example 12.8
We apply the Conditional function on E, F, and G buffers. If the
leftmost hexadecimal digits of these buffers are 0x9, 0xA, and 0xF
respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 1001, 1010, and 1111.
a. The first bits are 1, 1, and 1. The result is F1, which is 1.
b. The second bits are 0, 0, and 1. The result is G2, which is 1.
c. The third bits are 0, 1, and 1. The result is G3, which is 1.
d. The fourth bits are 1, 0, and 1. The result is F4, which is 0.
The result is 1110, or 0xE in hexadecimal.
12.30